DoS attack = ISP saying it's on my side. Help? [OTL + MBAM + MBR logs]

Hi polonus, I don't use bitcoins; however, I do use P2P with Steam downloads, though these are delivered over Limelight Networks.

I decided to quit the application after the cmd.bat wouldn't be created during the OTL run (it went into a locked-up mode), so I exited the application, went back in, copied and pasted everything EB posted (in the newest post), and it went smoothly without issues!
Please find attached the new results. I've also seen OTL has created 2 new folders in _OTL (under root); I was wondering, do I move the files back to their original places? (the ones which are being moved to a root folder.)

In addition find attached the requested log from the latest scan.

Also, to keep you updated, I've discovered additional IPs also attacking (see below).

107.20.145.76:443 x3 Dropbox (we do not use Dropbox, so I found this weird). In addition it seems to be tied to an EC2 VM https://stat.ripe.net/107.20.145.76#tabId=at-a-glance AMAZON-02 - Amazon.com, Inc.
31.13.64.23:443 x2 (Facebook Ireland)
23.61.255.57:80 AKAMAI-ASN1 - Akamai International B.V.
173.194.34.111:443 Google
50.19.81.238:443 (Another Amazon EC2 Instance)


Dropbox may have been the images I use in my posts, as that is where I stuff them all.

:OTL @Alternate Data Stream - 994 bytes -> C:\Users\Oliver\AppData\Local\Temp:X02gGPI7EmhUVHobjK4u6XhMubHP
Did you run this first OTL fix, as the ADS is very suspect?

Hey Essexboy, I didn't run the first test because I thought it may not work with the newer test you sent me. Should I copy everything in or just the :OTL @Alternate Data Stream?

In addition, the following IP has also sent out a DoS:

67.227.200.203:80 (from the bot website, another IP address though).
Previously attacked at 11:54:30 AM same port.

Hi OliPicard,

Yes, we must look for some mining backdoor malware variant, like Bitminer or Graybird-like suspicious riskware, because of this Ashburn, Virginia IP, also known from W32/BitCoinMiner.A, namely IP 50.19.81.238 that you also mention…

polonus

Ok, glad we are on the case of figuring this out, polonus! Now it's trying to figure out the removal. Also @Essexboy, should I run the datastream one using OTL with everything you have posted previously?

Thanks
Oliver

I've run an OTL scan with the new scan as requested by Essexboy.

In addition I've rebooted, then ran a Quick Scan; I have included both the Extras and OTL logs.

Have also just had another attack. Upon looking into this IP it seems connected to another IP which sent a similar request a couple of hours ago.

178.33.61.70:80 seems to be related to 67.227.200.203:80, which attacked at 03:28:29 PM

It keeps doing that because something is blocking this bot restarter program's authentication - could be either AV or firewall…

pol

Strangely enough we don't have a bot set up; could this be malware/a botnet? I think we both discovered it might be related to W32/Downloader.F.gen!Eldorado (alternative name Dorkbot).

I can see no indication of that at the moment… So I will now search for hidden drivers/files.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

No bot, it is all coming from this server. Do you see any connection here? http://myip.ms/info/whois/67.227.200.203/k/2854431429/website/www.thebuddyforum.com

polonus

Would that tie in with Steam somehow?

Hi Essexboy, from Steam's side nope, they run their own servers on valve.net and also the CDN is done by Limelight. I am a little worried about running ComboFix as I've seen it can cause people's machines to go a little odd, and it has been pulled from BleepingComputer due to being infected.

Just had a new DoS attack:

62.75.178.11:5202 https://stat.ripe.net/62.75.178.11#tabId=at-a-glance

It was pulled about three weeks ago and the bad copy deleted. The current version is OK.

That is unrelated to the traffic you experience. And Essexboy certainly knows what he is doing. He is the best qualified remover we have here and he is an instructor at G2G as well. You cannot get better removal assistance on the Interwebs, believe me!
I am just into website code and IP analysis, and have seen loads and loads of issues. That is my specialty. So I think out loud on an experience basis. Essexboy must drag that baddie out. Trust us, we'll get to it; we'd find the little b*gger!

pol

PS Just run the test you find here: https://www.grc.com/dns/dns.htm (because AV and firewall do not protect).
Give me the results of your DNS Nameserver Spoofability Test.


Find the ComboFix log attached. :slight_smile:

Also Polonus, the DNS test came back with:
Anti-Spoofing Safety: Excellent

Also did the ShieldsUP test too:
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

I've also PM'd Polonus the results from ShieldsUP. Seems to look good from here. As for ComboFix, the log above provides details. I was wondering, after we remove whatever's causing this, can we uninstall ComboFix?

Thanks :slight_smile: